Article ID: KB0083757
Description
APIX-G can be configured to authenticate users from multiple OUs in both bind and search modes.
Issue/Introduction
This article provides samples to configure the API Exchange Gateway engine to authenticate users from multiple OUs of an LDAP server.
Resolution
There are two ways to meet this requirement:
1). Configure LDAP authentication in search mode. For this, the following properties can be set:
userSearchExpression=
userSearchBaseDN=
userSearchScopeSubtree=true
Set userSearchBaseDN to the root OU/directory that contains all the OUs from which users have to be authenticated; with userSearchScopeSubtree set to "true", all sub-directories/OUs beneath that base are included in the search.
2). When LDAP authentication is configured in bind mode, the value of userDNTemplate must be the fully-qualified DN of the user on the LDAP server, with {0} standing for the username received in the request. For example:
If userDNTemplate=cn={0},ou=Support,dc=tibco,dc=com, the gateway can authenticate users in the 'Support' OU.
If the incoming request carries the username user4, then "cn=user4,ou=Support,dc=tibco,dc=com" is used when binding to LDAP.
Similarly, with userDNTemplate=cn={0},ou=PSG,dc=tibco,dc=com, the gateway can authenticate users in the 'PSG' OU.
For APIX-G to authenticate (bind) users in different OUs with a single template, the following are sample settings:
- set userDNTemplate to "{0},dc=tibco,dc=com"
- send the usernames in the request as the relative DN for this config, for example:
cn=user4,ou=Support
cn=user5,ou=PSG
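As an added illustration (not from the article or the gateway's own code), the following Python builds the bind DN and the search request for the two configurations above, escaping the username per RFC 4514 (DNs) and RFC 4515 (filters); for the "{0},dc=tibco,dc=com" template it accepts only the cn=<user>,ou=<OU> shape with an allow-listed OU before joining it to the suffix. The OU allow-list, the search base dc=tibco,dc=com and the expression (cn={0}) are assumptions.

```python
import re

BASE_SUFFIX = "dc=tibco,dc=com"   # suffix shared by the article's templates
ALLOWED_OUS = {"Support", "PSG"}  # assumed allow-list: the two OUs the article names
SEARCH_BASE_DN = BASE_SUFFIX      # assumed userSearchBaseDN: common parent of those OUs
SEARCH_EXPRESSION = "(cn={0})"    # assumed userSearchExpression (blank in the article)
# Expected shape of the username sent for userDNTemplate={0},dc=tibco,dc=com
USER_RDN = re.compile(r'^cn=([^,+="\\<>;]+),ou=([^,+="\\<>;]+)$')


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def bind_dn(user_dn_template, username):
    """Bind mode, single-OU template such as cn={0},ou=Support,dc=tibco,dc=com."""
    return user_dn_template.replace("{0}", escape_rdn_value(username))

def multi_ou_bind_dn(username):
    """Bind mode with userDNTemplate={0},dc=tibco,dc=com: the request carries
    'cn=<user>,ou=<OU>', so only that shape and an allow-listed OU are accepted."""
    match = USER_RDN.match(username)
    if not match:
        raise ValueError("username must have the form cn=<user>,ou=<OU>")
    cn, ou = match.groups()
    if ou not in ALLOWED_OUS:
        raise ValueError("OU %r is not an allowed authentication OU" % ou)
    return "cn=%s,ou=%s,%s" % (escape_rdn_value(cn), escape_rdn_value(ou), BASE_SUFFIX)

def search_request(username):
    """Search mode: (base DN, scope, filter) the gateway would issue; subtree
    scope makes every OU under the base eligible (userSearchScopeSubtree=true)."""
    ldap_filter = SEARCH_EXPRESSION.replace("{0}", escape_filter_value(username))
    return SEARCH_BASE_DN, "SUBTREE", ldap_filter
```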
Attached is a log file (Filename: MultiOU_auth_testing.log) showing sample transactions for this configuration. Sample properties files (Filename: LdapAsp.properties and LdapAsp_searchMode.properties) for bind and search modes are also attached.